5 Total
0 High severity
3 Medium severity
2 Low severity
Summary

This is Stripe's global sub-processor and service provider list, disclosing the third-party companies and Stripe affiliates that may process personal data on Stripe's behalf when providing payment processing, fraud detection, infrastructure, analytics, and customer support services. The list identifies sub-processors including entities such as Amazon Web Services, Google Cloud, and others, specifying the country of establishment and the processing purpose for each. Businesses using Stripe as a payment processor and subject to GDPR or similar data protection laws are expected to review this list and, depending on their DPA terms, may have the right to object to new sub-processor additions.

Technical / Legal Breakdown

This document is Stripe's publicly published list of Service Providers, Sub-Processors, and Affiliates, maintained pursuant to data protection obligations under frameworks including GDPR, which requires controllers and processors to disclose sub-processing arrangements. The document enumerates third-party entities and Stripe affiliates to which personal data may be transferred or made accessible in connection with Stripe's payment processing, fraud detection, infrastructure, analytics, customer support, and compliance services. The document identifies sub-processors by name, country of establishment, and processing purpose, consistent with standard GDPR Article 28 disclosure practice; however, the level of specificity regarding data categories transferred to each sub-processor varies, and the document does not enumerate retention periods or individual data subject rights mechanisms. This list engages GDPR and UK GDPR sub-processor disclosure obligations, SCCs and Data Transfer Addenda for cross-border transfers outside the EEA and UK, and equivalent transfer frameworks in other jurisdictions where Stripe operates; organizations subject to GDPR who use Stripe as a data processor are required under Article 28 to maintain awareness of and, in many cases, consent to sub-processor additions. Compliance teams at merchant organizations should evaluate whether their DPA with Stripe incorporates objection rights for new sub-processor additions and whether the listed cross-border transfers satisfy their own data transfer obligations.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Get Compliance
Medium — 3 provisions
Low — 2 provisions

Monitoring

Stripe has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Get Compliance

Cross-platform context

See how other platforms handle Cross-Border Data Transfers via Listed Sub-Processors and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FCRA
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
GLBA
United States Federal
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗

Related Analysis

Consumer Rights · April 21, 2026
Stripe's Reserve and Hold Authority: What the Terms Authorize

Stripe's terms authorize fund reserves, payout withholding, and account termination. Here is what the agreement states and what business ow…

Dependency Governance · May 27, 2026
When Infrastructure Providers Govern Platforms

The Kickstarter-Stripe controversy reveals how payment processors, cloud providers, and AI platforms quietly shape downstream policy decisi…

Dependency Governance · June 11, 2026
When AI Agents Start Paying for Things: Who Governs Machine-to-Machine Commerce?

Mastercard, Stripe, and Cloudflare are building payment infrastructure for autonomous AI agents. The governance layer is not keeping pace.

Archival ProvenanceSource & Archival Record
Last Captured July 6, 2026 22:43 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000929
Version ID CA-V-004527
SHA-256 d3bbbafbfb8cc4491fca587f4ef263fec6efb936c8a1da023ea29df350bec630
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans